bitcoinjs-lib/test/integration/stealth.js

/* global describe, it */

let assert = require('assert')
let bigi = require('bigi')
let bitcoin = require('../../')

let ecurve = require('ecurve')
let secp256k1 = ecurve.getCurveByName('secp256k1')
let G = secp256k1.G
let n = secp256k1.n

// TODO: remove
let baddress = bitcoin.address
let bcrypto = bitcoin.crypto
function getAddress (node) {
  return baddress.toBase58Check(bcrypto.hash160(node.getPublicKeyBuffer()), bitcoin.networks.bitcoin.pubKeyHash)
}

// vG = (dG \+ sha256(e * dG)G)
function stealthSend (e, Q) {
  var eQ = Q.multiply(e) // shared secret
  var c = bigi.fromBuffer(bitcoin.crypto.sha256(eQ.getEncoded()))
  var cG = G.multiply(c)
  var vG = new bitcoin.ECPair(null, Q.add(cG))

  return vG
}

// v = (d + sha256(eG * d))
function stealthReceive (d, eG) {
  var eQ = eG.multiply(d) // shared secret
  var c = bigi.fromBuffer(bitcoin.crypto.sha256(eQ.getEncoded()))
  var v = new bitcoin.ECPair(d.add(c).mod(n))

  return v
}

// d = (v - sha256(e * dG))
function stealthRecoverLeaked (v, e, Q) {
  var eQ = Q.multiply(e) // shared secret
  var c = bigi.fromBuffer(bitcoin.crypto.sha256(eQ.getEncoded()))
  var d = new bitcoin.ECPair(v.subtract(c).mod(n))

  return d
}

// vG = (rG \+ sha256(e * dG)G)
function stealthDualSend (e, R, Q) {
  var eQ = Q.multiply(e) // shared secret
  var c = bigi.fromBuffer(bitcoin.crypto.sha256(eQ.getEncoded()))
  var cG = G.multiply(c)
  var vG = new bitcoin.ECPair(null, R.add(cG))

  return vG
}

// vG = (rG \+ sha256(eG * d)G)
function stealthDualScan (d, R, eG) {
  var eQ = eG.multiply(d) // shared secret
  var c = bigi.fromBuffer(bitcoin.crypto.sha256(eQ.getEncoded()))
  var cG = G.multiply(c)
  var vG = new bitcoin.ECPair(null, R.add(cG))

  return vG
}

// v = (r + sha256(eG * d))
function stealthDualReceive (d, r, eG) {
  var eQ = eG.multiply(d) // shared secret
  var c = bigi.fromBuffer(bitcoin.crypto.sha256(eQ.getEncoded()))
  var v = new bitcoin.ECPair(r.add(c).mod(n))

  return v
}

describe('bitcoinjs-lib (crypto)', function () {
  it('can generate a single-key stealth address', function () {
    // XXX: should be randomly generated, see next test for example
    var recipient = bitcoin.ECPair.fromWIF('5KYZdUEo39z3FPrtuX2QbbwGnNP5zTd7yyr2SC1j299sBCnWjss') // private to recipient
    var nonce = bitcoin.ECPair.fromWIF('KxVqB96pxbw1pokzQrZkQbLfVBjjHFfp2mFfEp8wuEyGenLFJhM9') // private to sender

    // ... recipient reveals public key (recipient.Q) to sender
    var forSender = stealthSend(nonce.d, recipient.Q)
    assert.equal(getAddress(forSender), '1CcZWwCpACJL3AxqoDbwEt4JgDFuTHUspE')
    assert.throws(function () { forSender.toWIF() }, /Error: Missing private key/)

    // ... sender reveals nonce public key (nonce.Q) to recipient
    var forRecipient = stealthReceive(recipient.d, nonce.Q)
    assert.equal(getAddress(forRecipient), '1CcZWwCpACJL3AxqoDbwEt4JgDFuTHUspE')
    assert.equal(forRecipient.toWIF(), 'L1yjUN3oYyCXV3LcsBrmxCNTa62bZKWCybxVJMvqjMmmfDE8yk7n')

    // sender and recipient, both derived same address
    assert.equal(getAddress(forSender), getAddress(forRecipient))
  })

  it('can generate a single-key stealth address (randomly)', function () {
    var recipient = bitcoin.ECPair.makeRandom() // private to recipient
    var nonce = bitcoin.ECPair.makeRandom() // private to sender

    // ... recipient reveals public key (recipient.Q) to sender
    var forSender = stealthSend(nonce.d, recipient.Q)
    assert.throws(function () { forSender.toWIF() }, /Error: Missing private key/)

    // ... sender reveals nonce public key (nonce.Q) to recipient
    var forRecipient = stealthReceive(recipient.d, nonce.Q)
    assert.doesNotThrow(function () { forRecipient.toWIF() })

    // sender and recipient, both derived same address
    assert.equal(getAddress(forSender), getAddress(forRecipient))
  })

  it('can recover parent recipient.d, if a derived private key is leaked [and nonce was revealed]', function () {
    var recipient = bitcoin.ECPair.makeRandom() // private to recipient
    var nonce = bitcoin.ECPair.makeRandom() // private to sender

    // ... recipient reveals public key (recipient.Q) to sender
    var forSender = stealthSend(nonce.d, recipient.Q)
    assert.throws(function () { forSender.toWIF() }, /Error: Missing private key/)

    // ... sender reveals nonce public key (nonce.Q) to recipient
    var forRecipient = stealthReceive(recipient.d, nonce.Q)
    assert.doesNotThrow(function () { forRecipient.toWIF() })

    // ... recipient accidentally leaks forRecipient.d on the blockchain
    var leaked = stealthRecoverLeaked(forRecipient.d, nonce.d, recipient.Q)
    assert.equal(leaked.toWIF(), recipient.toWIF())
  })

  it('can generate a dual-key stealth address', function () {
    // XXX: should be randomly generated, see next test for example
    var recipient = bitcoin.ECPair.fromWIF('5KYZdUEo39z3FPrtuX2QbbwGnNP5zTd7yyr2SC1j299sBCnWjss') // private to recipient
    var scan = bitcoin.ECPair.fromWIF('L5DkCk3xLLoGKncqKsWQTdaPSR4V8gzc14WVghysQGkdryRudjBM') // private to scanner/recipient
    var nonce = bitcoin.ECPair.fromWIF('KxVqB96pxbw1pokzQrZkQbLfVBjjHFfp2mFfEp8wuEyGenLFJhM9') // private to sender

    // ... recipient reveals public key(s) (recipient.Q, scan.Q) to sender
    var forSender = stealthDualSend(nonce.d, recipient.Q, scan.Q)
    assert.throws(function () { forSender.toWIF() }, /Error: Missing private key/)

    // ... sender reveals nonce public key (nonce.Q) to scanner
    var forScanner = stealthDualScan(scan.d, recipient.Q, nonce.Q)
    assert.throws(function () { forScanner.toWIF() }, /Error: Missing private key/)

    // ... scanner reveals relevant transaction + nonce public key (nonce.Q) to recipient
    var forRecipient = stealthDualReceive(scan.d, recipient.d, nonce.Q)
    assert.doesNotThrow(function () { forRecipient.toWIF() })

    // scanner, sender and recipient, all derived same address
    assert.equal(getAddress(forSender), getAddress(forScanner))
    assert.equal(getAddress(forSender), getAddress(forRecipient))
  })

  it('can generate a dual-key stealth address (randomly)', function () {
    var recipient = bitcoin.ECPair.makeRandom() // private to recipient
    var scan = bitcoin.ECPair.makeRandom() // private to scanner/recipient
    var nonce = bitcoin.ECPair.makeRandom() // private to sender

    // ... recipient reveals public key(s) (recipient.Q, scan.Q) to sender
    var forSender = stealthDualSend(nonce.d, recipient.Q, scan.Q)
    assert.throws(function () { forSender.toWIF() }, /Error: Missing private key/)

    // ... sender reveals nonce public key (nonce.Q) to scanner
    var forScanner = stealthDualScan(scan.d, recipient.Q, nonce.Q)
    assert.throws(function () { forScanner.toWIF() }, /Error: Missing private key/)

    // ... scanner reveals relevant transaction + nonce public key (nonce.Q) to recipient
    var forRecipient = stealthDualReceive(scan.d, recipient.d, nonce.Q)
    assert.doesNotThrow(function () { forRecipient.toWIF() })

    // scanner, sender and recipient, all derived same address
    assert.equal(getAddress(forSender), getAddress(forScanner))
    assert.equal(getAddress(forSender), getAddress(forRecipient))
  })
})
tests/integration: separate crypto tests 2016-08-13 03:42:53 +02:00			`/* global describe, it */`

rm getAddress 2018-05-22 09:43:25 +02:00			`let assert = require('assert')`
			`let bigi = require('bigi')`
			`let bitcoin = require('../../')`

			`let ecurve = require('ecurve')`
			`let secp256k1 = ecurve.getCurveByName('secp256k1')`
			`let G = secp256k1.G`
			`let n = secp256k1.n`

			`// TODO: remove`
			`let baddress = bitcoin.address`
			`let bcrypto = bitcoin.crypto`
			`function getAddress (node) {`
			`return baddress.toBase58Check(bcrypto.hash160(node.getPublicKeyBuffer()), bitcoin.networks.bitcoin.pubKeyHash)`
			`}`
tests: improved readability for stealth address code 2016-08-17 05:06:31 +02:00
stealth: use \+ to represent point addition 2016-12-10 05:01:41 +01:00			`// vG = (dG \+ sha256(e * dG)G)`
tests: improved readability for stealth address code 2016-08-17 05:06:31 +02:00			`function stealthSend (e, Q) {`
			`var eQ = Q.multiply(e) // shared secret`
			`var c = bigi.fromBuffer(bitcoin.crypto.sha256(eQ.getEncoded()))`
			`var cG = G.multiply(c)`
stealth: more explicit inner variable names 2016-10-05 02:05:28 +02:00			`var vG = new bitcoin.ECPair(null, Q.add(cG))`
tests: improved readability for stealth address code 2016-08-17 05:06:31 +02:00
stealth: more explicit inner variable names 2016-10-05 02:05:28 +02:00			`return vG`
tests: improved readability for stealth address code 2016-08-17 05:06:31 +02:00			`}`

stealth: clarify super simply 2016-12-10 02:34:06 +01:00			`// v = (d + sha256(eG * d))`
tests: improved readability for stealth address code 2016-08-17 05:06:31 +02:00			`function stealthReceive (d, eG) {`
			`var eQ = eG.multiply(d) // shared secret`
			`var c = bigi.fromBuffer(bitcoin.crypto.sha256(eQ.getEncoded()))`
stealth: more explicit inner variable names 2016-10-05 02:05:28 +02:00			`var v = new bitcoin.ECPair(d.add(c).mod(n))`
tests: improved readability for stealth address code 2016-08-17 05:06:31 +02:00
stealth: more explicit inner variable names 2016-10-05 02:05:28 +02:00			`return v`
tests: improved readability for stealth address code 2016-08-17 05:06:31 +02:00			`}`
tests/integration: separate crypto tests 2016-08-13 03:42:53 +02:00
stealth: clarify super simply 2016-12-10 02:34:06 +01:00			`// d = (v - sha256(e * dG))`
			`function stealthRecoverLeaked (v, e, Q) {`
stealth: add stealth child key recover example 2016-11-25 03:42:17 +01:00			`var eQ = Q.multiply(e) // shared secret`
			`var c = bigi.fromBuffer(bitcoin.crypto.sha256(eQ.getEncoded()))`
stealth: clarify super simply 2016-12-10 02:34:06 +01:00			`var d = new bitcoin.ECPair(v.subtract(c).mod(n))`
stealth: add stealth child key recover example 2016-11-25 03:42:17 +01:00
stealth: clarify super simply 2016-12-10 02:34:06 +01:00			`return d`
stealth: add stealth child key recover example 2016-11-25 03:42:17 +01:00			`}`

stealth: use \+ to represent point addition 2016-12-10 05:01:41 +01:00			`// vG = (rG \+ sha256(e * dG)G)`
stealth: add dual key example 2016-12-10 03:52:08 +01:00			`function stealthDualSend (e, R, Q) {`
			`var eQ = Q.multiply(e) // shared secret`
			`var c = bigi.fromBuffer(bitcoin.crypto.sha256(eQ.getEncoded()))`
			`var cG = G.multiply(c)`
stealth: d is not involved in the receiver private key 2016-12-10 04:33:51 +01:00			`var vG = new bitcoin.ECPair(null, R.add(cG))`
stealth: add dual key example 2016-12-10 03:52:08 +01:00
			`return vG`
			`}`

stealth: use \+ to represent point addition 2016-12-10 05:01:41 +01:00			`// vG = (rG \+ sha256(eG * d)G)`
stealth: add dual key example 2016-12-10 03:52:08 +01:00			`function stealthDualScan (d, R, eG) {`
			`var eQ = eG.multiply(d) // shared secret`
			`var c = bigi.fromBuffer(bitcoin.crypto.sha256(eQ.getEncoded()))`
block: use writeUInt32BE for target calculation 2017-03-28 11:26:59 +02:00			`var cG = G.multiply(c)`
			`var vG = new bitcoin.ECPair(null, R.add(cG))`
stealth: add dual key example 2016-12-10 03:52:08 +01:00
			`return vG`
			`}`

stealth: d is not involved in the receiver private key 2016-12-10 04:33:51 +01:00			`// v = (r + sha256(eG * d))`
stealth: add dual key example 2016-12-10 03:52:08 +01:00			`function stealthDualReceive (d, r, eG) {`
			`var eQ = eG.multiply(d) // shared secret`
			`var c = bigi.fromBuffer(bitcoin.crypto.sha256(eQ.getEncoded()))`
stealth: d is not involved in the receiver private key 2016-12-10 04:33:51 +01:00			`var v = new bitcoin.ECPair(r.add(c).mod(n))`
stealth: add dual key example 2016-12-10 03:52:08 +01:00
			`return v`
			`}`

tests/integration: separate crypto tests 2016-08-13 03:42:53 +02:00			`describe('bitcoinjs-lib (crypto)', function () {`
			`it('can generate a single-key stealth address', function () {`
tests: improved readability for stealth address code 2016-08-17 05:06:31 +02:00			`// XXX: should be randomly generated, see next test for example`
			`var recipient = bitcoin.ECPair.fromWIF('5KYZdUEo39z3FPrtuX2QbbwGnNP5zTd7yyr2SC1j299sBCnWjss') // private to recipient`
			`var nonce = bitcoin.ECPair.fromWIF('KxVqB96pxbw1pokzQrZkQbLfVBjjHFfp2mFfEp8wuEyGenLFJhM9') // private to sender`

			`// ... recipient reveals public key (recipient.Q) to sender`
			`var forSender = stealthSend(nonce.d, recipient.Q)`
rm getAddress 2018-05-22 09:43:25 +02:00			`assert.equal(getAddress(forSender), '1CcZWwCpACJL3AxqoDbwEt4JgDFuTHUspE')`
tests: improved readability for stealth address code 2016-08-17 05:06:31 +02:00			`assert.throws(function () { forSender.toWIF() }, /Error: Missing private key/)`

			`// ... sender reveals nonce public key (nonce.Q) to recipient`
			`var forRecipient = stealthReceive(recipient.d, nonce.Q)`
rm getAddress 2018-05-22 09:43:25 +02:00			`assert.equal(getAddress(forRecipient), '1CcZWwCpACJL3AxqoDbwEt4JgDFuTHUspE')`
tests: improved readability for stealth address code 2016-08-17 05:06:31 +02:00			`assert.equal(forRecipient.toWIF(), 'L1yjUN3oYyCXV3LcsBrmxCNTa62bZKWCybxVJMvqjMmmfDE8yk7n')`

			`// sender and recipient, both derived same address`
rm getAddress 2018-05-22 09:43:25 +02:00			`assert.equal(getAddress(forSender), getAddress(forRecipient))`
tests: improved readability for stealth address code 2016-08-17 05:06:31 +02:00			`})`

			`it('can generate a single-key stealth address (randomly)', function () {`
			`var recipient = bitcoin.ECPair.makeRandom() // private to recipient`
			`var nonce = bitcoin.ECPair.makeRandom() // private to sender`

			`// ... recipient reveals public key (recipient.Q) to sender`
			`var forSender = stealthSend(nonce.d, recipient.Q)`
			`assert.throws(function () { forSender.toWIF() }, /Error: Missing private key/)`

			`// ... sender reveals nonce public key (nonce.Q) to recipient`
			`var forRecipient = stealthReceive(recipient.d, nonce.Q)`
			`assert.doesNotThrow(function () { forRecipient.toWIF() })`

			`// sender and recipient, both derived same address`
rm getAddress 2018-05-22 09:43:25 +02:00			`assert.equal(getAddress(forSender), getAddress(forRecipient))`
tests/integration: separate crypto tests 2016-08-13 03:42:53 +02:00			`})`

stealth: add stealth child key recover example 2016-11-25 03:42:17 +01:00			`it('can recover parent recipient.d, if a derived private key is leaked [and nonce was revealed]', function () {`
			`var recipient = bitcoin.ECPair.makeRandom() // private to recipient`
			`var nonce = bitcoin.ECPair.makeRandom() // private to sender`

			`// ... recipient reveals public key (recipient.Q) to sender`
			`var forSender = stealthSend(nonce.d, recipient.Q)`
			`assert.throws(function () { forSender.toWIF() }, /Error: Missing private key/)`

			`// ... sender reveals nonce public key (nonce.Q) to recipient`
			`var forRecipient = stealthReceive(recipient.d, nonce.Q)`
			`assert.doesNotThrow(function () { forRecipient.toWIF() })`

			`// ... recipient accidentally leaks forRecipient.d on the blockchain`
			`var leaked = stealthRecoverLeaked(forRecipient.d, nonce.d, recipient.Q)`
			`assert.equal(leaked.toWIF(), recipient.toWIF())`
			`})`

stealth: add randomly 2016-12-10 04:37:14 +01:00			`it('can generate a dual-key stealth address', function () {`
stealth: add dual key example 2016-12-10 03:52:08 +01:00			`// XXX: should be randomly generated, see next test for example`
			`var recipient = bitcoin.ECPair.fromWIF('5KYZdUEo39z3FPrtuX2QbbwGnNP5zTd7yyr2SC1j299sBCnWjss') // private to recipient`
			`var scan = bitcoin.ECPair.fromWIF('L5DkCk3xLLoGKncqKsWQTdaPSR4V8gzc14WVghysQGkdryRudjBM') // private to scanner/recipient`
			`var nonce = bitcoin.ECPair.fromWIF('KxVqB96pxbw1pokzQrZkQbLfVBjjHFfp2mFfEp8wuEyGenLFJhM9') // private to sender`

			`// ... recipient reveals public key(s) (recipient.Q, scan.Q) to sender`
			`var forSender = stealthDualSend(nonce.d, recipient.Q, scan.Q)`
			`assert.throws(function () { forSender.toWIF() }, /Error: Missing private key/)`

			`// ... sender reveals nonce public key (nonce.Q) to scanner`
			`var forScanner = stealthDualScan(scan.d, recipient.Q, nonce.Q)`
			`assert.throws(function () { forScanner.toWIF() }, /Error: Missing private key/)`

			`// ... scanner reveals relevant transaction + nonce public key (nonce.Q) to recipient`
			`var forRecipient = stealthDualReceive(scan.d, recipient.d, nonce.Q)`
			`assert.doesNotThrow(function () { forRecipient.toWIF() })`

			`// scanner, sender and recipient, all derived same address`
rm getAddress 2018-05-22 09:43:25 +02:00			`assert.equal(getAddress(forSender), getAddress(forScanner))`
			`assert.equal(getAddress(forSender), getAddress(forRecipient))`
stealth: add dual key example 2016-12-10 03:52:08 +01:00			`})`
stealth: add randomly 2016-12-10 04:37:14 +01:00
			`it('can generate a dual-key stealth address (randomly)', function () {`
			`var recipient = bitcoin.ECPair.makeRandom() // private to recipient`
			`var scan = bitcoin.ECPair.makeRandom() // private to scanner/recipient`
			`var nonce = bitcoin.ECPair.makeRandom() // private to sender`

			`// ... recipient reveals public key(s) (recipient.Q, scan.Q) to sender`
			`var forSender = stealthDualSend(nonce.d, recipient.Q, scan.Q)`
			`assert.throws(function () { forSender.toWIF() }, /Error: Missing private key/)`

			`// ... sender reveals nonce public key (nonce.Q) to scanner`
			`var forScanner = stealthDualScan(scan.d, recipient.Q, nonce.Q)`
			`assert.throws(function () { forScanner.toWIF() }, /Error: Missing private key/)`

			`// ... scanner reveals relevant transaction + nonce public key (nonce.Q) to recipient`
			`var forRecipient = stealthDualReceive(scan.d, recipient.d, nonce.Q)`
			`assert.doesNotThrow(function () { forRecipient.toWIF() })`

			`// scanner, sender and recipient, all derived same address`
rm getAddress 2018-05-22 09:43:25 +02:00			`assert.equal(getAddress(forSender), getAddress(forScanner))`
			`assert.equal(getAddress(forSender), getAddress(forRecipient))`
stealth: add randomly 2016-12-10 04:37:14 +01:00			`})`
tests/integration: separate crypto tests 2016-08-13 03:42:53 +02:00			`})`